Spear Phishing a Part of Russia’s Intervention in 2016 Election

The afternoon of July 13, Special Counsel Robert Mueller posted the indictment returned by the grand jury of 12 Russian nationals, all associated with the GRU (Russian military intelligence) Unit 26165 and Unit 74455. As we wrote in a June 2016 piece about hacking politics, the Russians were placing their hand on the scales of the election, as they had attempted numerous times over the years. What made the 2016 election unique was the availability of information online and the poor cyber hygiene on the part of individuals and organizations, a combination which made the online attacks by the GRU both possible and bountiful.

The Indictment

The Department of Justice indictment charges 11 defendants with conspiracy to commit computer crimes, eight counts of aggravated identity theft, and conspiracy to launder money. Two defendants are charged separately with conspiracy to commit computer crimes.

The indictment also identifies Guccifer 2.0, which was purported to be a lone Romanian hacker, as a fictitious creation of the GRU. Similarly, the website and social media accounts associated with DCLeaks were also a creation of Russian military intelligence.

The primary methodology used was phishing. Instead of sending out broad email blasts to various email domains or organization members, the Russians engaged in a good deal of research in identifying those individuals with the required or desired access. Once these individuals were identified, an email ostensibly from a colleague was sent containing an attachment or a link for the recipient to click – they were spear phished.

Once the individual opened the attachment or clicked on the link, a variety of malware tools were loaded onto the user’s device. The two primary tools allowed Russian military intelligence to capture all of the keystrokes on the device and also to capture screenshots of the user’s screen. This allowed the login credentials of many users to be harvested and then exploited separately from the user’s device. The GRU now had the ability to mimic the user and, as such, access the various servers and cloud storage environments used by the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC).

The information harvested from the DNC and DCCC was then shared with Wikileaks (identified as “Organization 1” in the indictment), which posted it on its site without attribution to Guccifer 2.0.

The indictment also reveals the existence of correspondence between the GRU and third parties interested in the content of the DCCC and DNC theft. For example, an unidentified candidate for Congress requested information on their opponent. A journalist requested access to the data and offered to write about the GRU operation (without writing that the GRU were behind the operation).

Interestingly, during these exchanges, Wikileaks wrote in July – immediately prior to the Democratic Convention – that they assessed then-candidate Donald Trump as having only a 25 percent chance of winning. Wikileaks is seen to further urge the person they knew as Guccifer 2.0 to allow them access to greater amounts of information. The Russians provided Wikileaks direct access to the data stores, which Wikileaks downloaded and subsequently shared.

No U.S. Involvement in Russian Aggression

Deputy Attorney General Rosenstein was explicit in his admonishment that no U.S. person participated in this activity conducted by Russian military intelligence. The indictment reveals that a variety of online services, ranging from cloud storage to domain registration, were obtained via providers located around the globe, including in the United States.

The level of detail contained in the indictment is indicative of direct access to the GRU logs, and perhaps of a GRU source who was able to relate the discussions, tasking, and results over the course of the GRU effort.

Is Arrest Likely?

The arrest of these individuals from Russian military intelligence is highly unlikely. What the indictment does is limit the ability of the individuals to travel to various countries, for fear that they will be arrested and rendered to the United States to face these charges.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).